Vigil@nce: PostgreSQL, privilege elevation via PL
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can redefine a function of a procedural language,
and use a role changing mechanism, in order to elevate his
privileges on PostgreSQL.
– Severity: 2/4
– Creation date: 06/10/2010
DESCRIPTION OF THE VULNERABILITY
PostgreSQL supports several procedural languages: PL/perl, PL/tcl,
PL/PHP, etc.
When a function is created, the "SECURITY" attribute selects whose rights it runs with:
SECURITY DEFINER: the function runs with the rights of the user who created the function
SECURITY INVOKER: the function runs with the rights of the user who called the function
An attacker connected to the database can redefine a standard
function in PL/perl, PL/tcl or PL/PHP. He can then call a SECURITY
DEFINER function created by a privileged user which, in turn, calls the
function he redefined. The attacker thus gains the privileges of this
user.
A similar attack can be created with the SET ROLE and SET SESSION
AUTHORIZATION privilege changing features.
A local attacker can therefore redefine a function of a procedural
language, and use a role changing mechanism, in order to elevate
his privileges on PostgreSQL.
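As an added defender-side check (not part of the Vigil@nce bulletin), the two queries below read the standard PostgreSQL system catalogs (pg_language, pg_proc, pg_namespace, pg_roles) to list the installed procedural languages and every SECURITY DEFINER function together with its owner's privilege level, so an administrator can see which functions would run with elevated rights if a PL function they depend on were redefined.

```sql
-- Added audit queries; they only read catalog tables and change nothing.

-- 1. Which procedural languages are installed, whether each is marked
--    "trusted" (usable by non-superusers), and who owns it.
SELECT l.lanname                     AS language,
       l.lanpltrusted                AS trusted,
       pg_get_userbyid(l.lanowner)   AS owner
FROM   pg_catalog.pg_language l
WHERE  l.lanispl                     -- keep procedural languages only
ORDER  BY l.lanname;

-- 2. Every SECURITY DEFINER function, its language, its owner, and whether
--    that owner is a superuser or can create roles. Functions owned by such
--    roles are the ones worth reviewing: whatever they call runs with the
--    owner's rights, not the caller's.
SELECT n.nspname        AS schema,
       p.proname        AS function_name,
       l.lanname        AS language,
       r.rolname        AS owner,
       r.rolsuper       AS owner_is_superuser,
       r.rolcreaterole  AS owner_can_create_roles
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  p.prosecdef                  -- SECURITY DEFINER functions only
ORDER  BY r.rolsuper DESC, r.rolcreaterole DESC, n.nspname, p.proname;
```

Run both as a superuser with psql; rows from the second query whose owner_is_superuser is true identify the functions a privilege elevation of the kind described above would target.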
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PostgreSQL-privilege-elevation-via-PL-10005